Briefly, to bypass the above prompt you must call the applet with the parameter __applet_ssv_validated set to true. The only way to manipulate this parameter is to use a java Network Launch Protocol file.

Regarding to oracle there are two ways to use JNLP in a page:

With the applet tag

With javascript only

Let's try first the example with the tag applet. The code we're going to run is the latest publicly available java exploit CVE-2013-2423.

After saving all these files in the same directory we try to load the page with firefox to check if it works. It works perfectly, no security warning prompted. But if you try to see the page with chrome the applet will not be loaded.

I think because chrome doesn't like jnlp files.

The second option is to use JavaScript instead of the tag applet. The first step is to create the jnlp file as before, then encode it to base64. Which differs from the previous method is the last step, that will look like this: